[FROM THE EDITOR]

Getting Stuff Done

I was scheduled to moderate an onstage panel with, among others, Jason Clark, the newly minted (at the time) Websense CSO. Clark had already spent several years as CISO at Emerson, a multibillion-dollar manufacturing company, and was strikingly young to have already advanced so far in his career. (Just like you and me, right?)

Before the event, we had a preparatory conference call with all panelists, and at the conclusion I said I would send out notes from the conversation to let everyone know the types of questions we’d be covering. And before we all hung up, Clark asked: “When did you say we should expect those notes?”

That question stuck in my mind, because it was clearly a technique Clark uses (consciously or not) to help make sure expectations are clear and promises delivered on. This was one of a few small incidents that led to this month’s cover story, “Getting Stuff Done” (Page 20). Because it isn’t easy to get stuff done.

It’s clear what needs to be done. I mean, it’s crystal clear to me, as it probably is to you in your context. And it’s equally clear to others in my company, but their obvious solutions and my obvious solutions aren’t always the same. Weird! So there are meetings, and emails, and phone calls, and follow-up emails after the meetings and phone calls, and so on. Proposals are made, rephrased, reworked, scrapped, revived, reprioritized.

Sound familiar? And my business unit isn’t even outrageously big! I marvel at those who run security in truly gigantic organizations. And sometimes I ask them the simple question: How do you get stuff done?

Contributing writer Mary Brandel spoke with outstanding security leaders at a variety of companies and gathered their advice on getting stuff done. Interestingly, Brandel was my boss many years ago, when I was just a rather clueless pup. I thought she was a very effective leader, with a very positive style. And personal style plays into getting stuff done.

Take the tips she’s collected and modify them to work with your own approach. I’m sure you’ll find the article helpful in your quest to get stuff done.

-Derek Slater, dslater@cxo.com
[FROM THE PUBLISHER]

Navigating the Political Landscape

It’s probably no big surprise to any of you, but the effectiveness of your organization’s risk-management endeavors is directly related to your ability to navigate the quagmire known as corporate politics. As security and risk professionals have been elevated to senior leadership positions (our readers, i.e. you, are more likely to report to the CEO or the board of directors than to the CIO), that skill, that talent, politics, has become increasingly important. And I have to admit that we may have let you down in that regard.

Over the past 9-plus years, we have focused a great deal of our coverage in CSO on helping you develop professionally and helping you understand the risks that we saw emerging. While we spent a lot of time helping you sell the value of security to your business, I think we could have done a better job of helping you learn the finer points of politics. We have prepared you for battle outside of your corporate walls (physical or fire-) but for battles in the boardroom? I’m not so sure. [Editor’s note: Oh sure, now it’s my fault.]

Why do I say this? One need look no further than the coverage of this year’s Global Information Security Survey in this issue and last month’s. If you recall, we found that 43 percent of you considered yourselves security frontrunners or leaders. But when we dug into some of the details around that 43 percent, it became apparent that there were some glaring shortcomings.

When we analyzed that data further, we found that most respondents (87 percent, actually) had some serious challenges to being able to successfully sell the value of security, which is critical to your ability to get the support of senior leadership in order to get the resources and buy-in necessary to deliver on your strategic vision for security.

The politics come into play when you need to convince the CEO, who juggles the competing priorities of the business, that allocating resources to security and risk management will deliver a better return than giving those same resources to product development, marketing, sales, or some other line of business. Security, we all know, is not an easy sell.

But for all security leaders, even those who can easily translate risk into a business discussion with corporate leadership, politics is the next step that must be taken to succeed. Now, leading CSOs find themselves in the thick of the debate over and battle for resources. That debate is politics.

As we endure another grinding election cycle and the accompanying political battles fought everywhere from Washington to your local town or city hall, watch closely, take notes, and when all else fails, go buy The Art of War by Sun Tzu. It’s required reading for the CSO heading into the mahogany-paneled hallways of the executive suite to do battle on the field of corporate politics.

-Bob Bragdon, bbragdon@cxo.com
BLOG POST

Toxic Collaboration?

Collaboration can be toxic to an information security program. Assaulted by conflicting management agendas and priorities, the consensus needed for success sometimes suffers an early death. However, many organizations perpetuate the mantra that collaboration is always a good idea.

Unfortunately, managers’ collective memories tend to cling to the outcomes of successful collaboration at the cost of the details that enabled those wins. In his blog post “Collaboration Is Misunderstood and Overused,” Andrew Campbell examines the misuse of collaboration and highlights issues I have seen in my consulting practice: problems that threatened to reverse the momentum gained after a security assessment.

Teamwork and collaboration are distinct approaches to harnessing the skills and knowledge of corporate stakeholders in order to address a challenge. The former emerges when a leader, or leadership team, directs a group that cooperates to solve a problem. According to Campbell, team actions “are interdependent, but they are fully committed to a single result.” This requires an outcome-focused management style, where individual or group differences are sublimated for the benefit of the team. “Team members may dislike each other. They may disagree on important issues. They may argue disruptively. But with a good leader, they can still perform,” says Campbell.

Collaboration differs in that it lacks a central leader. According to Campbell, those involved “will have some shared goals, but they often also have competing goals. Also, the shared goal is usually only a small part of their responsibilities.” Complicating things further is the lack of a conflict resolution mechanism normally provided by a team’s leadership structure....

What makes collaboration succeed when it is used appropriately? Stakeholders’ emotional engagement and mutual respect, coupled with a governance structure, increase the chance of success. Campbell advises that managers “avoid relying on a collaborative relationship except in the rare case when a company objective is important enough to warrant some collaborative action but not so important as to warrant a dedicated team.”

Realizing the value of security investments requires teamwork. However, corporate teams play in a competitive arena that demands flexibility and responsiveness. Managers must be ready to recognize when to use tactical collaboration for the benefit of team strategy....

[Read the full post at http://blogs.csoonline.com/1752/the_dark_side_of_collaboration]

—Steve Fox
As advanced persistent threats grow in sophistication and frequency, CSOs need confidence that their security measures are protecting their enterprises.

Recent high-profile security breaches highlight the critical need for enterprise CSOs to secure internal networks against pernicious advanced persistent threats. Today's APTs use a variety of social engineering, personalized techniques and highly sophisticated tools to obtain or change company information, making it difficult to discover, prevent or remove the threats.

IDG Research Services recently surveyed enterprise security professionals about APTs. Among the respondents, 55 percent said that hearing of an APT breach at a major security vendor last March had increased their level of concern. Additionally, nearly half said that they have experienced APT-like security breaches such as suspicious, well-targeted or customized malware attachments within the past 12 months. As one respondent said, "Although we have many common/best practice security controls, you can never be extremely confident that you will not experience a breach. It is a question of when, not if."

The widespread use of mobile devices, cloud computing and social networking intensifies security concerns. Commonly used security measures—firewalls; encryption; and static, one-time passwords (OTPs)—no longer provide adequate defense against pernicious APTs.

Key logging malware, insider threats and laptops outside the perimeter expose Windows log-ins to compromise. Passwords can be easily stolen or cracked. Static passwords are almost obsolete for protecting employee credentials and enterprise data, yet most enterprises still rely on them for Windows log-in, server access and cloud-based applications.

Multi-layered Approach

The first step in bridging a security gap is to implement a multi-layered enterprise identity assurance solution that requires strong authentication to access VPN, Windows login, server access, and cloud applications.

To mitigate risk, the online identities of users accessing an organization's resources must be clearly verified. At the same time, identity assurance solutions must be cost-effective, easy to manage and flexible enough to accommodate the unique needs of different groups of users within a larger organization.

CSO Take-Aways

■ 55% of survey respondents said they are increasingly concerned about the dangers and prevalence of Advanced Persistent Threats (APTs).

■ Perimeter security is viewed as inadequate against APTs. Multi-layered strong authentication is crucial at inhibiting APTs.

■ 49% of IT respondents to an IDG Research survey believe smart cards (or smart USB tokens) are highly effective at limiting APTs.

As enterprises realize that perimeter defense systems no longer provide adequate protection against targeted attacks, a multi-layered approach to network security has become essential. Multi-layered security, which incorporates strong authentication such as smart cards and advanced OTP, can deter APTs, validate and authenticate users' access to enterprise resources and inhibit an attacker's ability to escalate account privileges or leap laterally to compromise other users' accounts.

ActivIdentity provides enterprise identity assurance solutions that deliver multilayered, strong authentication that protects against increasingly sophisticated advanced persistent threats while optimizing security, convenience and affordability. ActivIdentity delivers complete strong authentication versus traditional OTP, extending access protection to Windows desktops, servers, networks, enterprise systems and cloud-based applications. ActivIdentity's uniquely powerful and convenient security solution is available as an appliance for rapid, easy deployment to address all your strong authentication and credential management needs.

To download the free white paper on this exclusive research, go to www.csoonline.com/whitepapers/actividentity/apt.
HOW DID MILITARY DRONES GET INFECTED WITH KEYLOGGERS?

The discovery of malware in the control systems of unmanned aircraft leaves everyone wondering: How did it get there, what is its purpose, and is the military’s own monitoring software to blame?

As you’ve probably heard by now, a rather tenacious keylogger has reportedly infected an Air Force command center for unmanned aerial vehicles at the Creech Air Force Base in Nevada.

Drones have become increasingly important to U.S. military efforts; they’re used to both gather intelligence and launch attacks, such as the controversial killing in September of U.S.-born militant cleric Anwar al-Awlaki. One New York Times report says that the Pentagon has roughly 7,000 aerial drones, up from fewer than 50 a decade ago, and that Congress is seeking nearly $5 billion for drones in next year’s budget.

According to reports, the keylogger was detected about two weeks ago by the military’s own intrusion-prevention systems and host-based firewall. The military has tried to remove the suspected malware, but it keeps returning.

“The first thing I thought when I saw this was that it was a keylogger on a ground-based system, not on the drones themselves. That’s a much less scary scenario than having a drone system, which could be theoretically disconnected from control at any time, infected with code,” says Chris Wysopal, computer security expert and CTO of application security firm Veracode.

With no clear answers yet as to how the keylogger managed to finagle its way onto sensitive and classified systems, questions remain about the code’s origin and what its makers intend to use it for.

[Photo: A Predator unmanned aircraft]

Dave Lewis, security researcher and contributing analyst at the security research firm Securosis, says his money is on a contractor as the culprit. Lewis says the challenge there is that contractors are trusted advisers, often with minimal background checks, who are more apt to break policy and use systems not directly managed by the government.

“They have the means and the opportunity,” says Lewis.

Others, such as Gartner security and compliance research director Ian Glazer, wonder if the keylogger could be the military’s own software, placed on the systems as someone’s way of conducting oversight.

Computing expert Miles Fidelman posted his thoughts along similar lines on a popular security mailing list: “After seeing this, from a few sources, I’m reminded that there are a couple of vendors who’ve been selling the Defense Department security monitoring packages that are essentially rootkits that do, among other things, key logging,” he wrote. “I kind of wonder if the virus that folks are fighting is something that some other part of DoD deployed intentionally.”

Others speculate that the infection vector was most likely a familiar user mistake, such as plugging in an infected removable drive, or surfing to the wrong website.

“Just because classified systems are air-gapped doesn’t mean that people aren’t making the mistake of plugging in USB drives and doing other things they shouldn’t,” says Wysopal.

Also, it’s possible for these types of systems to become infected during upgrades and system updates. “If it’s custom code, traditional scanning of storage media may not detect it. Essentially, there are many ways for this type of thing to happen, despite the systems being on relatively controlled networks,” he says.

-George V. Hulme


Q&A

Hey, CSOs: Suck It Up and Accept Budget Cuts

For ideas on how IT security pros might be able to close the communication gap with business leaders, we turned to Eric Cowperthwaite, CISO of Providence Health and Services.

Providence runs 28 hospitals and has more than 50,000 employees in Washington, Oregon, California, Alaska and Montana. Cowperthwaite has more than 25 years of experience in security and risk management, in both military and civilian organizations. He also knows something about what it’s like to be found in violation of security regulations and what’s necessary to fix it.

CSO: A lot of organizations are pulling back on their security spending, and the reason given for the cuts is often the economy. Do you think they’re cutting security specifically, or are the cuts a reflection of fewer IT deployments, so IT security is shrinking because the overall IT spend is shrinking?

Eric Cowperthwaite: I think that overall IT investments are flat or down in many organizations. I would also argue that for a decade IT security has been given carte blanche increases in its budgets. And when the financial meltdown hit, COOs and CFOs looked at that IT security spending and said, “You know what? All the rest of our business has to live within a budget that makes sense and they have to demonstrate value: How about if you did the same?” Also, many IT groups within businesses have had to take across-the-board hits, and so did IT security for the first time in a decade.

Many IT security managers whined about the cuts and don't think they are necessary, and possibly downright dangerous. I think they are clearly on the wrong side of the argument and reacting in the wrong way.

CSO: Some CSOs say that IT security has been underfunded long-term, and that increases in spending were, or are still, needed to catch up to where they need to be. With that argument in mind, how do you think they should be reacting?

Cowperthwaite: They should be reacting by saying, “I agree. I need to take a five percent cut just like the rest of the company and still figure out how to do my job just as well as I did it yesterday, if not even better.” The heads of various business units are not saying, “Hey, sorry boss, I can’t cut my budget. I don’t care if revenue fell.” The fact is that the days of just throwing money at the security problem are over, which I think is a good thing because just throwing tech at the problem hasn’t worked. More broadly, however, what happened simultaneously during the decade of almost unlimited expansion of security budgets is that we also had 10 years of promoting people into information security leadership positions who weren’t groomed as business leaders.

CSO: Many security professionals contend that business leaders don't understand security, and that they can't get executives to pay attention to the risks.

Cowperthwaite: It’s the security pro’s job to help business leaders understand the risks and how IT security can mitigate risk and protect the business. But most security pros are too technical. And I have a feeling SQL injection and man-in-the-middle attacks shouldn’t be a part of the presentation. However, if you can’t demonstrate the risks to the business, then maybe you shouldn’t be in that role. They don’t want to hear about the technical details. They expect you to know about those things and talk to your technical folks about those things.

They want to hear from you about how preventing malicious access is an issue that they need to deal with. They want to hear how you can actually reduce the company’s operating expense for security incidents by doing X, Y and Z. Remember, a security incident hits operating expenses and it’s unplanned, which means that it comes directly out of net operating income. If you have a security incident, that is almost certainly going to impact your quarterly earnings statement, and your CFO very much cares about that.

So if you can show your CFO that last quarter these are the security events that happened, and here’s how much they cost, and they were a hit to net operating income, then you’ll have their attention. They also will then be more willing to hear about things you are doing to reduce the costs of such breaches in the future. And if you do need more tools or organizational changes to get it done, you’ve just made a strong business case.

-G.V.H.


November 2011 www.csoonline.com 11


>> BRIEFING

SALTED HASH

Steve Jobs’ Information Security Legacy

NOT MUCH has been said about the security of Apple’s products in the wake of Steve Jobs’ passing. Now may not be the time, but I’m going there anyway.

Jobs’ vision changed the way we live. We get our music differently. We work differently. We play differently. There’s a lot to thank him for.

But there will be security issues to deal with in the land of Apple.

I don’t point that out to be insulting, though I’ve learned over time that Apple enthusiasts are quick to take offense.

They are so devoted to the technology—and have been so lucky to date in not seeing the same level of attacks that Microsoft users have seen—that many refuse to accept that the devices they revere come with risks.

We’re starting to see the security risks (just look at all the Mac vulnerabilities we’ve seen of late), but attackers are only getting warmed up, testing the defenses and seeing what kind of damage they can do.

With the iPhone and iPad so ubiquitous in work and at home, the bad guys now have all the reason in the world to make these devices their number-one target. It’s going to happen.

But Apple will deal with it, just as Microsoft had to deal with its security problems in the last decade. Apple, in fact, is already working on it.

CSO contributing writer George V. Hulme wrote in March about how recent steps taken by Apple show a concerted effort by the company to strengthen the security of its Macintosh computing platform. He wrote at the time:

“Proactively engaging with the Apple security community is Apple’s most recent move in what appears, from the outside, to be the company stepping up its security game. Earlier this year Apple reportedly hired noted software security expert David Rice.

“That personnel move followed the hiring of Window Snyder, former security lead at Mozilla, last year.

“‘They’ve hired a number of high-profile people,’ says Rich Mogull, founder and analyst at research firm Securosis. ‘[The new hires have] since fallen into the Apple vacuum, but I most definitely get the feeling that Apple is taking security more seriously.’

“Also, two independent sources close to Apple report that the company is aligning a security member as part of each product team, though CSO has not been able to confirm this.”

Steps like this can only be good news for consumers of Apple products, and for enterprises and Apple’s own ambition to gain a larger piece of corporate sales.

Steve Jobs didn’t get to have his security moment like Bill Gates did in 2002 when he sent out the Trustworthy Computing memo, but I doubt that lacking that one accomplishment bothered him too much.

The security push now falls to his successors.

I wish them well, and I thank Jobs again for his many contributions to society.

He has certainly made our lives more fun.

—Bill Brenner

CSOonline’s new Salted Hash blog and newsletter cover the news as it happens: blogs.csoonline.com/blog/cso
INDUSTRY NEWS

IBM Acquires Q1 Labs

IBM has announced that it plans to buy Q1 Labs, a vendor specializing in security-intelligence software.

The move “aims to accelerate IBM’s efforts to help clients more intelligently secure their enterprises by applying analytics to correlate information from key security domains and creating security dashboards for their organizations,” IBM said in a press release.

Q1 Labs will join the newly formed IBM Security Systems division. The division will reportedly be led by Brendan Hannigan, CEO of Q1 Labs.

More from the press release:

“The new division will target a $94 billion opportunity in security software and services, which has a nearly 12 percent compound annual growth rate, according to IBM estimates. Q1 Labs will join the more than 10 strategic security acquisitions IBM has made in the last decade and the more than 25 analytics-related purchases, including the recently announced acquisition of security analytics software firm, i2.”

Says Q1 Labs’ Hannigan, “Since perimeter defense alone is no longer capable of thwarting all threats, IBM is in a unique position to shift security thinking to an integrated, predictive approach.” He goes on, “Q1 Labs' security analytics will add greater intelligence to IBM’s security portfolio and continue to distinguish IBM from competitors.”

-B.B.

McAfee Buys NitroSecurity

McAfee says its planned acquisition of NitroSecurity, announced last month, will allow it to add core security information and event management (SIEM) capabilities to its Security Connected Framework.

In a statement, McAfee said the combination will give organizations greater visibility into their enterprise endpoint assets, underlying network infrastructure, specific security threats, and risks and system vulnerabilities across their entire IT environments.

McAfee says the proposed transaction will bring together best-in-class technologies:

• NitroSecurity’s leadership position in the SIEM market will help McAfee significantly expand its risk and compliance and global threat intelligence capabilities.

• NitroSecurity’s SIEM, which has already passed integration testing with McAfee ePolicy Orchestrator (ePO), gives customers a single security platform for event analysis and management across the enterprise. The integration expands the capability of the McAfee ePO platform to view events, activity and logs created by networks, databases and applications.

• The McAfee ePO platform can leverage the extended SIEM capabilities to more rapidly institute a range of monitoring and mitigation actions, such as issuing new configurations, implementing new policies and updating software.

“McAfee is focused on keeping its customers safe with optimized security and risk-management solutions,” Stuart McClure, general manager and senior vice president of risk and compliance at McAfee, said in the statement.

-B.B.
>> BRIEFING

Security Wisdom Watch

We're learning more about the security of the music and video apps people increasingly use at work, and it’s not pretty

Thumbs both ways: YouTube: There’s a ton of useful information security videos on the site, but hackers are getting good at hijacking popular channels. The people behind Sesame Street’s YouTube videos learned that the hard way after someone hacked the channel and replaced wholesome toddler entertainment with hardcore porn.

Thumbs both ways: Spotify: We’re quickly getting addicted to this music sharing program. For no fee, you can access every album known to man and enjoy it while you work at your desk. But its tighter integration with Facebook means users face the same privacy risks they do on the social networking site. They don’t really care, but their IT security people do.

Thumbs up: iTunes: Apple has had to fix several security holes in recent years, but with a rapidly growing target on its back, the empire that Steve Jobs left behind is taking steps to up its security game.

Thumbs down: Adobe Flash: Most of us have relied on Flash to play multimedia content for a long time, and the bad guys have had an easy job of attacking its vulnerabilities. It hasn’t improved much, which is one of the reasons Microsoft is talking about a Flash-free Windows 8. Few would shed a tear over its demise.

-B.B.


Verbatim... 


Shots  heard  ’round  the  security  world 


“You have to wonder what was going through the mind of whoever hacked Sesame Street’s YouTube page.”

-Sophos security consultant Graham Cluley, after someone hijacked the Sesame Street YouTube channel and filled it with pornography


“Malvertising poses a serious risk to [the reputation and revenue online of] publishers and their customers. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites.”

-Fran Rosch, vice president of identity and authentication services at Symantec, after scareware spread from a torrent site via malvertising


“We felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question.”

-Col. Kathleen Cook of Air Force Space Command, after a gaming keylogger was found on systems inside the Nevada Air Force base that directs U.S. drone missile attacks


“This, I’m afraid, is a serious threat. It means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account.”

-WineHQ developer Jeremy White, regarding the breach of a database used for Wine, an open-source technology that lets users install and run Windows applications on Linux, Mac, Solaris and other operating systems


“In this case, we’re talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the Net right now.”

-Alex Eckelberry, vice president and general manager of the security software division at GFI, on how searching for “Flash Player” on Bing and Yahoo can lead to rogue pages distributing a hard-to-remove rootkit
Cops Arrest 111, Break Up 5 ID Theft Rings in One Swoop

Restaurant  workers  and  bank  insiders  are  charged  in 
what’s  billed  as  the  largest-ever  ID  theft  roundup 

Prosecutors  call  it  the  biggest  identity-theft  bust  in  U.S.  history.  Early  last 
month,  111  bank  tellers,  retail  workers,  waiters  and  alleged  criminals  were 
charged  with  running  a  credit-card-stealing  organization  that  made  off  with 
more  than  $13  million  in  less  than  a  year  and  a  half. 

“This is by far the largest, and certainly among the most sophisticated, identity theft/credit card fraud cases that law enforcement has come across,” the Queens, New York district attorney’s office said in a statement announcing the arrests.

The credit card numbers came from far and wide. They were gathered in skimming operations in the United States, where restaurant employees or retail cashiers were paid to steal credit card data from customers; picked up in carder forums on the Internet, where hackers trade tips and stolen data; and gathered from shady overseas suppliers in countries such as Russia, China and Libya.

In  all,  five  card-theft  rings  were  targeted  in  the  two-year  law  enforcement 
effort  dubbed  Operation  Swiper.  Between  them,  they  ran  the  full  gamut  of  criminal 
activities  required  to  steal  credit  card  numbers  and  convert  that  data  into  cash, 
prosecutors  say. 

Of the defendants, 86 are in custody; police are looking for the remaining 25.

The accused are charged with running a thoroughly modern identity theft ring that included ID thieves, skimmers, card makers, fences and shopping crews, groups that would buy thousands of dollars worth of merchandise in stores throughout the country.

“Many  of  the  defendants  charged  today  are  accused  of  going  on  nationwide 
shopping  sprees,  staying  at  five-star  hotels,  renting  luxury  automobiles  and  private 
jets,  and  purchasing  tens  of  thousands  of  dollars  worth  of  high-end  electronics,”  the 
Queens  DA  office  says. 

During the raid, police seized “a box truck full of electronics, computers, shoes and watches, skimmers, card readers, embossers and various amounts of raw material, such as blank credit cards and fake identifications,” the DA’s office said.

Six of the accused are charged with stealing $850,000 worth of computer equipment from a Citigroup building in Long Island City last August. Prosecutors say that a former Citi employee and a security guard under contract to Citigroup helped with the theft.

Apple, Best Buy, Nordstrom, Macy’s and many financial institutions, including Citi, Chase Bank and Bank of America, are credited with helping with the investigation.

-Robert  McMillan 
TOOLS, TECHNOLOGIES AND TACTICS

By  Joseph  Guarino 


10  Steps  to  Secure  Browsing 
in  the  Enterprise 

Keep  users  safe  (or  safer)  by  thinking  holistically  about  Web  security 


It goes without saying that the Internet isn’t a safe place—it’s a veritable jungle. In the world of browsers, we, the users, are seen as a delicious and commonly exploited target by many adversaries. Much like in the real jungle, we most often fall prey to lurking predators that bring us down using spear phishing, drive-by downloads and all manner of malware. The browser itself, Java, JavaScript, HTML5 and plug-ins such as Adobe Flash allow us great opportunities to use rich applications, but they also open the door wide to cybercriminals.

Every technology has a downside that will be exploited. As a result, the browser, often called the universal client, is an ever-growing conduit of malware into the modern enterprise. Truth is, malware and its risks are ever evolving with the demands of cybercriminals and black hats, and browsers just happen to be a particularly soft and tantalizing target. Unfortunately, history has shown us that the trend is only accelerating. Despite the more recent evolution of additional security features, the browser remains a soft target when care isn’t taken to lock it down in your enterprise.

It’s possible to improve your browser security stance by making some changes to people, procedures and technology. We don’t have to be lunch for the piranhas or a quick snack for the tiger; we can defend ourselves in the Internet jungle. Here are my top 10 recommendations for improving the security of your browsing environment.

1.  Holistic  Patch  Management 

Patch management is nothing new, but it’s rarely done in a holistic, all-encompassing way. Most organizations do a great job of patching core operating systems but sometimes neglect associated core Web technologies such as Adobe Flash and Reader, Apple QuickTime, and Java. Holistic patch management addresses the entire desktop of native and third-party applications, including the browser and all its associated plug-ins, in a comprehensive way.

As if the complexity of the desktop isn’t enough, consumerization (the effort of many users to bring their own device into the enterprise) introduces new perils in both patch management and security. Whether it’s the executive who wants to use a shiny new tablet with known unpatched vulnerabilities or the user who wants to use a smartphone running an ancient and exploitable browser, patches must be kept up to date. A coherent, holistic effort to patch is helpful in defending against a multitude of known vulnerabilities. Obviously it isn’t a panacea—nothing is—and you can’t fix zero-day vulnerabilities, but by addressing what you can, you’ll reduce your risks and costs.

Illustration by John Weber
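To make the first step concrete, here is an added example (not from the article, and not a tool by its author or by any vendor named here): a PowerShell script that inventories the browser-adjacent components named above from a client’s uninstall registry keys and compares them with the minimum versions your patch process has approved. The display-name patterns and the baseline hashtable are assumptions to be filled in from the vendors’ current bulletins; no release numbers are asserted here.

```powershell
# Added example, not from the article. Inventories browser plug-ins on a
# Windows client by reading the uninstall registry keys that MSI/EXE
# installers populate, then flags anything older than an approved baseline.
# Assumes 64-bit Windows and PowerShell 2.0 or later; product patterns and
# baseline versions are placeholders to be filled from vendor bulletins.

# Display-name patterns for the components the article singles out.
$WatchList = @('Adobe Flash Player*', 'Adobe Reader*', 'QuickTime*', 'Java*')

# On x64 the 32-bit hive (Wow6432Node) must be read too: most of these
# plug-ins ship as 32-bit installers and register there.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-BrowserPluginInventory {
    # Returns one object per installed product that matches $WatchList.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($pattern in $WatchList) {
                if ($entry.DisplayName -like $pattern) {
                    New-Object PSObject -Property @{
                        Computer  = $env:COMPUTERNAME
                        Product   = $entry.DisplayName
                        Version   = $entry.DisplayVersion
                        Publisher = $entry.Publisher
                    }
                    break
                }
            }
        } | Sort-Object Product, Version -Unique
}

function Test-PluginBaseline {
    # $MinimumVersion maps a product-name prefix to the oldest acceptable
    # version string, e.g. @{ 'Java' = '<approved version>' } (assumed input).
    param([Parameter(Mandatory = $true)][hashtable]$MinimumVersion)

    foreach ($item in Get-BrowserPluginInventory) {
        $installed = $item.Version -as [version]   # $null if not parseable
        foreach ($name in $MinimumVersion.Keys) {
            if ($item.Product -like "$name*") {
                $required = $MinimumVersion[$name] -as [version]
                $status = 'OK'
                if (-not $installed -or -not $required) { $status = 'Unknown' }
                elseif ($installed -lt $required)        { $status = 'OutOfDate' }
                New-Object PSObject -Property @{
                    Computer = $item.Computer
                    Product  = $item.Product
                    Version  = $item.Version
                    Required = $MinimumVersion[$name]
                    Status   = $status
                }
            }
        }
    }
}

# Usage: supply the approved versions from your change records, then feed the
# OutOfDate and Unknown rows to your patch deployment tool.
# Test-PluginBaseline -MinimumVersion @{ 'Java' = '0.0'; 'Adobe Flash Player' = '0.0' } |
#     Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Run it through your remoting or systems-management tool to cover the whole fleet; a product that shows up as Unknown usually means an installer that writes a non-numeric version string, which is worth tracking by hand rather than ignoring.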

2.  Browser  Lockdown 

Although I’m a user of open-source software such as Mozilla Firefox and Google Chrome, I’m going to address browser security with a focus on the browser with the most market share in the enterprise: Microsoft Internet Explorer. All current browser usage statistics put Explorer at the top of the heap, and because Microsoft dominates the corporate desktop space, its penetration there is even greater.

Microsoft has made many strides in beefing up Internet Explorer’s security, and many of those are available in Active Directory through Group Policy. Active Directory is not only a centralized directory service offering authentication and authorization for your Windows domain, but it also can control security policies throughout your Windows environment. Group Policy allows administrators to centrally control the configuration of Internet Explorer and thus efficiently lock down an entire enterprise’s browsers.

Internet Explorer versions 8 and 9 offer nearly 1,500 configurable settings, so you would be hard-pressed to say it’s not flexible enough to meet your security requirements. Of particular use to the enterprise is the ability to control the user interface by disabling certain menus or configuration options, tweaking security zones (which let you set the level of trust the browser extends to a given site), turning on the SmartScreen Filter (which helps protect against phishing and malware sites), using ActiveX controls and ActiveX Filtering (which let you control which add-ons can run), managing and blocking downloads, and more.

Books have been written on this subject, but suffice it to say you might want to explore these features to further lock down your enterprise browsers.
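As an added example (not from the article, nor a Microsoft-supplied script), the following PowerShell builds the kind of Internet Explorer lockdown GPO the section describes with the GroupPolicy module, then reads the Internet-zone settings back to check for drift. The GPO name and the intranet host in the site-to-zone map are assumptions; the registry paths and URL action IDs are the ones Internet Explorer’s own Group Policy templates write.

```powershell
# Added example, not from the article: build an Internet Explorer lockdown
# GPO with the GroupPolicy module (RSAT on Windows 7 / Server 2008 R2 or
# later) and verify what was written. The GPO name and the intranet host in
# the zone map are assumptions; link the GPO to an OU yourself after review.
Import-Module GroupPolicy

$GpoName = 'IE Lockdown - Corporate Desktops'   # assumed name
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

$IE   = 'HKLM\Software\Policies\Microsoft\Internet Explorer'
$INet = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Internet zone (zone 3) URL actions. Value names are the URL action IDs
# documented in Microsoft KB 182569; 0 = enable, 1 = prompt, 3 = disable.
$InternetZone = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe
    '1804' = 3   # Launching programs and files in an IFRAME
    '1806' = 3   # Launching applications and unsafe files
    '2004' = 3   # Run components not signed with Authenticode
}
foreach ($action in $InternetZone.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key "$INet\Zones\3" `
        -ValueName $action -Type DWord -Value $InternetZone[$action] | Out-Null
}

# Zone handling is machine-wide: users cannot edit zone policies or site
# lists, and per-user zone settings are ignored in favour of the machine's.
$ZoneLock = @{ 'Security_options_edit' = 1; 'Security_zones_map_edit' = 1; 'Security_HKLM_only' = 1 }
foreach ($v in $ZoneLock.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $INet -ValueName $v -Type DWord -Value $ZoneLock[$v] | Out-Null
}

# Site-to-zone assignment: the value name is the URL, the string value the
# zone number (1 intranet, 2 trusted, 3 internet, 4 restricted).
Set-GPRegistryValue -Name $GpoName -Key $INet -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$INet\ZoneMapKey" `
    -ValueName 'https://intranet.example.com' -Type String -Value '2' | Out-Null   # assumed host

# SmartScreen Filter on for IE8 and IE9, and users cannot click past warnings.
Set-GPRegistryValue -Name $GpoName -Key "$IE\PhishingFilter" -ValueName 'EnabledV8' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$IE\PhishingFilter" -ValueName 'EnabledV9' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$IE\PhishingFilter" -ValueName 'PreventOverride' -Type DWord -Value 1 | Out-Null

# ActiveX Filtering (IE9) on, and the Security tab hidden so the lockdown stays put.
Set-GPRegistryValue -Name $GpoName -Key "$IE\Safety\ActiveXFiltering" -ValueName 'IsEnabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$IE\Control Panel" -ValueName 'SecurityTab' -Type DWord -Value 1 | Out-Null

function Test-IeLockdownGpo {
    # Reads the zone-3 actions back from the GPO and reports any drift from $InternetZone.
    foreach ($action in $InternetZone.Keys) {
        $v = Get-GPRegistryValue -Name $GpoName -Key "$INet\Zones\3" -ValueName $action -ErrorAction SilentlyContinue
        $actual = $null
        if ($v) { $actual = $v.Value }
        New-Object PSObject -Property @{
            Action   = $action
            Expected = $InternetZone[$action]
            Actual   = $actual
            InSync   = ($actual -eq $InternetZone[$action])
        }
    }
}
# Test-IeLockdownGpo | Format-Table Action, Expected, Actual, InSync -AutoSize
```

After linking the GPO and running gpupdate /force on a test client, the same values appear under HKLM:\Software\Policies\Microsoft\... and in the gpresult /h report, which is the place to confirm that no higher-precedence GPO is overriding them. Test the ActiveX restrictions against the line-of-business sites that depend on ActiveX before rolling out, and move those sites into the trusted zone through the zone map rather than loosening the Internet zone.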

3. Filtering Proxy with Malware Scanning

As an additional layer of security and as part of an effort to add depth to your defenses, a filtering proxy with malware scanning can prove invaluable. Vendors offer products such as unified threat management devices and dedicated filtering proxies with advanced Layer 7 filtering and anti-malware scanning. These devices give you deep application-layer insight into the traffic coming into your enterprise; coupling them with URL blocking, malware scanning and enhanced logging should reduce overall cost and improve performance.

4. Evolved Anti-Malware Defense

Anti-malware has evolved from simple signature and engine models and can now include heuristics or behavior-based functions. This is a welcome evolution in light of today’s many Web threats.

Features such as malicious URL detection, advanced client-side firewalls, light host intrusion detection, sandboxing and white- or blacklisting applications are all now available. These anti-malware defenses add a layer of proactive defense to your enterprise at one of its key weak points. Your anti-malware suite should have many of these core features and good management tools to maintain it across your enterprise; if it doesn’t, it’s time to start shopping around.

5.  Minding  Your  Mobile  Devices 

Smartphones and tablets have a growing presence in the enterprise, and malware comes with them. Leading mobile computing players such as Google Android and Apple iOS have had their share of security issues, and we can only expect this to continue. System and network administrators have nowhere near the management capabilities or security features on these mobile devices that they do on traditional desktop operating systems.

Users can fall prey to downloading malicious code, phishing or social engineering much more easily on these mobile devices, which lack the protections provided by a real desktop operating system’s security controls and hardened browser.

Apple  could  do  much  more  than  assert 
that  its  software  is  secure  and  claim  that 
it  doesn’t  need  anti-malware.  Google,  too, 
could  offer  more  insight  into  what  it  allows 
in  its  much-less-walled  marketplace.  Truth 
be  told,  both  companies  need  to  strive  for 
improvements  in  security  terms.  For  now, 
third-party  vendor-management  suites 
for  Android  and  iOS  are  providing  greater 
manageability  and  increased  security. 

6. Good Password Policies or Two-Factor Authentication

Cracking passwords isn’t rocket science; the tools and knowledge exist and are freely available. As a result, your passwords and policies should be strong enough to stymie attackers. Whenever possible, your password policies should enforce password age, complexity and length requirements. This is as true for your corporate Web presence as it is for your network or VPN.

Two-factor authentication is often a good choice, but it can be prohibitively complex and costly. For those using traditional passwords, augmenting the browser with a password manager can help stop users from plastering their cubicles with sticky notes displaying sensitive passwords. Sad to say, I still see this happen all the time. For those managing these password nightmares, there are many password managers available, some native to the browsers themselves and others made by third parties. These include RoboForm, LastPass and the open-source KeePass. No matter where you use passwords, strong policies are always a smart idea.
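As an added example (not from the article), here is a PowerShell audit of the Active Directory password policy settings this step names, using the ActiveDirectory module. The baseline numbers are assumptions for illustration rather than a standard, and the fine-grained policy name and group in the usage note are placeholders.

```powershell
# Added example, not from the article: audit the domain's password policy
# against a baseline and flag the settings the article calls out (age,
# complexity, length), using the ActiveDirectory module (RSAT / Server 2008 R2+).
# Baseline values below are assumptions for illustration, not a standard.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    MaxPasswordAgeDays   = 90
    PasswordHistoryCount = 24
    LockoutThreshold     = 10     # 0 means accounts never lock: unlimited guessing
}

function Test-PasswordPolicy {
    # Compares one policy object (default domain or fine-grained) with $Baseline
    # and emits one PASS/FAIL row per setting.
    param([Parameter(Mandatory = $true)]$Policy, [string]$Name)

    # MaxPasswordAge is a TimeSpan; zero or negative means "never expires".
    $maxAgeDays = $null
    if ($Policy.MaxPasswordAge -and $Policy.MaxPasswordAge.TotalDays -gt 0) {
        $maxAgeDays = [int]$Policy.MaxPasswordAge.TotalDays
    }

    $checks = @(
        @{ Setting = 'MinPasswordLength';    Actual = $Policy.MinPasswordLength;
           Pass = ($Policy.MinPasswordLength -ge $Baseline.MinPasswordLength) },
        @{ Setting = 'ComplexityEnabled';    Actual = $Policy.ComplexityEnabled;
           Pass = ($Policy.ComplexityEnabled -eq $Baseline.ComplexityEnabled) },
        @{ Setting = 'MaxPasswordAge(days)'; Actual = $maxAgeDays;
           Pass = ($maxAgeDays -ne $null -and $maxAgeDays -le $Baseline.MaxPasswordAgeDays) },
        @{ Setting = 'PasswordHistoryCount'; Actual = $Policy.PasswordHistoryCount;
           Pass = ($Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount) },
        @{ Setting = 'LockoutThreshold';     Actual = $Policy.LockoutThreshold;
           Pass = ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $Baseline.LockoutThreshold) },
        # Reversible encryption stores passwords recoverably; it should never be on.
        @{ Setting = 'ReversibleEncryptionEnabled'; Actual = $Policy.ReversibleEncryptionEnabled;
           Pass = (-not $Policy.ReversibleEncryptionEnabled) }
    )
    foreach ($c in $checks) {
        $result = 'FAIL'
        if ($c.Pass) { $result = 'PASS' }
        New-Object PSObject -Property @{
            Policy  = $Name
            Setting = $c.Setting
            Actual  = $c.Actual
            Result  = $result
        }
    }
}

function Get-PasswordPolicyReport {
    # Default domain policy plus every fine-grained policy (PSO) in the domain.
    Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain'
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        Test-PasswordPolicy -Policy $pso -Name $pso.Name
    }
}

# Usage:
# Get-PasswordPolicyReport | Where-Object { $_.Result -eq 'FAIL' } |
#     Format-Table Policy, Setting, Actual, Result -AutoSize
#
# A stricter policy for privileged accounts can be layered on without touching
# the domain default (policy and group names are assumptions):
# New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' -Precedence 10 -MinPasswordLength 15 `
#     -ComplexityEnabled $true -MaxPasswordAge '60.00:00:00' -PasswordHistoryCount 24 `
#     -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
#     -ReversibleEncryptionEnabled $false
# Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'
```

The report covers only the directory; the Web applications and VPN concentrators the paragraph mentions keep their own policies and need the same check against the same baseline.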

7. Frequent, Required User Security Training

While many organizations have embraced end user security training, it is far from universal. But users play a strong role in information security—safer and more secure environments are created by well-trained users. End user security training should happen with some frequency, as the threats never stop evolving. At the very least, yearly training should revisit issues and update end users’ skills in responding to current threats. A security-aware workforce can be a huge asset in the fight against today’s multifarious threats.
8. Proper Policy and Procedures

Proper  computer  security  policy  will  help 
users  understand  how  they  should  and 
shouldn’t  use  information  resources. 

Users  should  have  to  read,  agree  to  and 
sign  security  policies.  Procedures  should 
be  in  place  so  users  acknowledge  their  role 
in  ensuring  enterprise  security.  Policies  and 
procedures  should  be  reviewed  during  user 
training  so  users  are  aware  of  and  properly 
engage  them. 

Wrapping these policies and procedures around regular end user training can create a user base that understands these security risks and how to properly respond to them.

9.  Minimal  Privileges 

It’s  hard  to  imagine,  due  to  the  risks,  but 
some  organizations  still  run  desktops  with 
administrative  privileges.  To  avoid  constant 
requests  to  install  or  configure  software,  IT 
operations  sometimes  allow  users  to  install 
whatever  they  like. 

End users generally lack the expertise needed to identify malware, so they often fall prey to it. Additionally, insider threats are very real, and by running your desktop machines in this manner you are simply asking for security nightmares.

To  reduce  the  potential  damage  that 
Web-based  malware  can  wreak,  users 
should  only  be  given  the  minimum  amount 
of  privileges  they  need  to  do  their  jobs. 

Thankfully, I’m seeing less and less of this problem in my consulting engagements, but I do still run into it, and I laugh (and sometimes cry a bit) when I do. Reducing privileges simply makes security sense.
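As an added example (not from the article), the PowerShell below finds out who actually holds local administrator rights on your desktops, which is the first step toward the minimal-privilege posture described above. It uses the WinNT ADSI provider; the approved list, domain name and computer names are assumptions.

```powershell
# Added example, not from the article: report who holds local administrator
# rights on workstations, using the WinNT ADSI provider (works against
# Windows XP and later over RPC, with an account that can read local groups).
# The approved list, domain name and computer names are assumptions.

function Get-LocalAdministrators {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are late-bound COM objects; pull properties by reflection.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://COMPUTER/name; normalise to DOMAIN\name.
        $account = ($path -replace '^WinNT://', '') -replace '/', '\'
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $account
            Type     = $class            # User or Group
        }
    }
}

function Test-LocalAdministrators {
    # Flags any member of the local Administrators group that is not on the
    # approved list. Group entries matter most: nesting a broad domain group
    # (e.g. Domain Users) grants admin to everyone in it.
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Approved
    )
    foreach ($c in $ComputerName) {
        try {
            $members = Get-LocalAdministrators -ComputerName $c
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # The built-in account is reported as COMPUTER\Administrator; compare it
            # under a generic LOCAL\ prefix so one approved list serves every host.
            $name = $m.Member -replace "^$([regex]::Escape($c))\\", 'LOCAL\'
            New-Object PSObject -Property @{
                Computer = $c
                Member   = $m.Member
                Type     = $m.Type
                Approved = [bool]($Approved -contains $name)
            }
        }
    }
}

# Usage (names are assumptions): pull workstations from AD and list anything unexpected.
# $hosts = Get-ADComputer -Filter 'OperatingSystem -like "*Windows 7*"' | Select-Object -ExpandProperty Name
# Test-LocalAdministrators -ComputerName $hosts -Approved @('LOCAL\Administrator', 'CORP\Desktop-Admins') |
#     Where-Object { -not $_.Approved } | Format-Table Computer, Member, Type -AutoSize
```

Anything the report flags is either a user who was granted admin rights to stop the install requests the paragraph describes, or a group that quietly widens that grant; both belong in a remediation queue, and the script is cheap enough to run on a schedule so the list does not grow back.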

10.  Thinking  Defense  in  Depth 

Don’t be lulled into the false sense of security that many security products seek to give you. No single effort, action, product or service is a security cure-all.

What is required is a comprehensive, consistent effort to reduce your risk by using the aforementioned methods, which are just a few of the many good security practices you should adopt. Security isn’t a simple point-and-click solution, but rather a concerted, ongoing, multifaceted, iterative process.

While these top 10 techniques don’t make up the exhaustive list I could provide on this topic, they are a step in the right direction. Technology alone doesn’t make your organization more secure, but having a holistic view of security can lessen your Web-borne risks. With the rise and continuing evolution of Web-based malware, cloud computing and mobile devices, there’s no reason to think these risks are going away anytime soon.

Your organization doesn’t have to be a haven for cross-site scripting, malicious JavaScript, plug-in flaws or browser-based exploits. You can tame the browser beast, or at least temper it.

So, take a holistic defense posture, investigate your Web-based threats in depth, and reap the reward of fewer risks. ■


Joseph  Guarino  is  CEO  of  consulting  company 
Evolutionary  IT.  Send  feedback  to  Editor  Derek 
Slater  at  dslater@cxo.com. 


Even well-run companies
can  be  political,  inflexible 
and  resistant  to  new  ideas. 
How  do  you  accomplish 
anything  when  you’re  facing 
those  challenges?  Here 
are  9  tactics  for  achieving 
your  security  goals. 


BY  MARY  BRANDEL 


Dave Cullinane, CISO of eBay, uses both visuals and hard numbers to make the case for security.


SECURITY MAY BE A HOT-BUTTON issue for business executives, but in an environment of ongoing economic uncertainty, support for security initiatives isn’t always easy to come by.

Whatever’s standing in the way—be it politics or personal agendas, inflexible budgets or outright adversaries—security professionals need to work hard to loosen the purse strings and get funding for the programs they believe in.

“There’s  no  carte  blanche  for  security,” 
says  Roland  Cloutier,  CSO  at  ADP,  a  $10 
billion  business  solutions  outsourcer. 

“It’s  an  ongoing  chore  to  prioritize  our 
spend,  align  with  business  priorities  and 
promote  our  requirements  so  we  can  get 
that  extra  dollar  to  protect  the  company,” 
he  says. 

Dave Cullinane, CISO at online auction giant eBay, agrees. “Where we’re spending, what is the risk and what is the appropriate expenditure—all these things put together are making it more challenging to get things approved,” he says.

We asked several CSOs to tell us their best budget-building tips, and we distilled them into nine tactics for getting your security initiatives moving despite numerous obstacles.


1. Do the Math

With funding tighter than ever, it’s crucial to present hard numbers on why your project or initiative is important. “If it’s just marginally improving the level of security, that’s probably not enough,” says Richard Gunthner, CSO at Mastercard Worldwide. “There needs to be a return on investment that makes sense.”

With so many potential exposures—malware, system threats, new regulations—Cullinane says a big part of his job is calculating a risk picture and quantifying it to show the residual risk and the ROI of your intended fix. “If I can demonstrate that a $6 million investment will result in a $300 million risk reduction, the CFO gets that,” Cullinane says. “But you have to prove the initiative will result in that reduction, and quantification is the hard part.”

Then, follow up with the results. “It’s showing [them], here’s where we started, and here’s where we came to in a short period of time,” Cullinane says. Once you build credibility, the money will come more easily. “I’m giving [the CFO] back $5 for every dollar he gives me, so he’s willing to give me more—one of the nice things about security is you can demonstrate that,” Cullinane says.

One example is a recent investment Cullinane’s organization made in advanced malware-detection tools. When Cullinane asked his investigative team to conduct a pilot test to detect any major issues with employee laptops used to work from home, “we found we had a much more significant malware problem than we thought we had, especially targeting people in HR and finance,” he says. This could have resulted in leaked information on organizational changes or planned acquisitions, but by making a small investment in a malware product, the exposure could be drastically reduced, he says. Cullinane also recently made a large investment in intelligence information to focus on major sources of fraud. “It was essential in arresting individual fraudsters and kept our fraud rate down 100 percent more than the investments we made,” he says.

Ideally, you should show the investment will close a hole you have in your organization that has resulted in a security lapse tied to a financial loss. If you can’t pin it to an internal event, show what happened in another company, preferably in the same industry. “It shows it’s not pie-in-the-sky but can and has happened, and therefore there’s a risk that needs to be remedied,” Gunthner says. “That makes it much easier to sell.”

Present your request for funding in what Cloutier calls “a risk-informed manner.” “Everything can’t be important, so we have to show what’s important and why,” he says. Cloutier works closely with the financial organization to create models of risk impact—how it affects investments, revenues or business-unit financial models—and probability, based on comparisons with others in the industry. “We use a lot of financials because we’re a financially focused company,” he says.

2. Show the Business Link

Even if you can’t get hard numbers, be sure to request funding only for initiatives that align with current business concerns, Cloutier says. For instance, if the current business concern is top-line revenue, how can you help grow it faster? If it’s closing the sales cycle faster, what program can you initiate to speed that up? If the concern is expense reduction, what can security do to reduce fraud and waste? “If you can articulate that and show a direct link—not just a speech that points to something, but actually show a link—that gets corporate leaders behind your efforts to support them in reaching their goals.”

3. Watch Your Language

You won’t get far in your spending requests if you don’t tune your message to the audience, whether you’re presenting your case to the executive board, the IT group or the mailroom staff.

“You should constantly be shifting gears in the way you talk to various prospective customers,” says Jason Clark, chief security and strategy officer at Websense, a security solutions provider. “IT cares about operational details, but that’s not the same conversation you should have in the boardroom.” Alan Nutes, senior manager of security and incident management at Newell Rubbermaid, echoes this advice. “If you’re talking to senior management, use C-level words,” he says. “A security professional might say ‘loss prevention,’ where a C-level [executive] will understand ‘asset management.’”

In an executive-level pitch for more firewalls, you might use the metaphor of needing brakes on a car, not for stopping but to go faster safely, Clark suggests. “Or if executives want to bring iPads in, you don’t want to be the guy saying, ‘No iPads’; it’s ‘Yes, iPads, but here’s an extra piece of software on the network to secure it.’”

The fact is, most business executives only become concerned about security violations when it’s clear how the exposure will affect the top or bottom lines, and it’s your job to make that connection for them. When Cloutier’s team recently conducted a review of business-process risk, for instance, it discovered its data-monitoring controls were no longer optimal for one unit because of a change in the way the unit was transferring data. To make the case for the technology upgrade that would fix the issue, the team made the link between the security weakness and the unit’s ability to get certifications that would allow it to win more contracts.

“We put it in terms the unit would understand,” Cloutier says. “They weren’t so concerned about the actual security violations, but how it would impact their ability to generate new revenue because certain certifications would not be available to them otherwise.” As a result, “they became our number-one business supporter in deploying new technology to remediate it,” he says.

4. Make It Personal

If you want to get someone’s attention, lay an issue right in their front yard. Once people are made to feel accountable, they will take interest in—and hopefully become advocates for—your proposal. For instance, Cloutier makes a habit of identifying which business leaders “own” which risks and then publicizes these assignments. “That’s powerful—people don’t want to be seen as responsible for risk, so they become supporters in helping to mitigate it,” Cloutier says. “It’s not about fear and uncertainty, it’s about feeling accountable for a problem in their area and deciding they’re going to help resolve it.” The technique encourages a partnership approach, which drives the needed resources.

Clark similarly believes in the power of publicizing ownership. He uses a device that he created earlier in his career, which he calls the “Good, Bad and Ugly” chart. The diagram depicts where each division stands in its progress on current security initiatives. At one company, Clark shared this chart with the CEO and requested that the CEO voice his support for the initiative in his quarterly address. Not only did the CEO promote the project, but he also called out the president of one division that had fallen far behind in achieving project milestones, saying that failing to catch up would result in termination. “Suddenly, everyone was coming to me, asking what they needed to do to catch up,” Clark says.

In large companies, it can take some educating to get certain divisions to feel ownership. For instance, at a global manufacturer that Clark worked for, the oil refinery division had lots of interest in security, but a manufacturing division was more tuned in to keeping its factories operational.

“We  had  to  show  them  that  regardless 
of  what  they’re  protecting,  they’re  part 
of  the  overall  corporate  risk,”  Clark  says. 
“You’re  only  as  good  as  your  weakest  link. 
That  is  a  conversation  I’ve  had  multiple 
times  because  different  areas  didn’t  want 
to  spend  the  funds.” 

5. Preview Your Plans

You usually only get one shot when you request funding, so Gunthner suggests practicing your pitch before showtime. “When I set out to sell a new initiative, I’m looking at three things: Does it make financial sense, what is the business value, and does it support the business strategy,” he says. “So after doing all my homework, before officially presenting it, I present it informally to various key stakeholders so I’m not taking something out of the box they’ve never seen or heard of before.”

By the time you make the formal presentation, you have a number of people in your corner who understand the value of what you’re trying to do, he says. And if there’s a lot of pushback, you need to evaluate whether it’s time to move forward or go back to the drawing board. “You typically only have one chance of getting a yes, and if you get a no, you can’t go back for several years,” Gunthner says.

“If you have the ability to pick the right time to present your project, do so. This will increase your chances of getting a ‘yes.’” -Richard Gunthner, CSO at Mastercard Worldwide

The stakeholders you gather don’t need to be part of the ultimate group making the decision, he says. They just need to be people in divisions who may be affected, for example, facilities, a particular business unit, finance, legal or HR. “I try to rally as many of those people in my corner as I can so that when the day comes—whether they’re in the room or not as part of the official decision making—I can say I consulted with XYZ and they’re in support of it,” he says.

Even if it takes weeks or months, Gunthner says he doesn’t move forward with his funding requests until he gains consensus. “All it takes is one stakeholder to say, ‘I don’t agree,’ and the thing is dead in the water,” he says. “Let them shoot holes in it—you would rather know beforehand versus when you get turned down altogether.”

Play  Politics 

It’s  also  a  good  move  to  surround 
yourself  with  people  who  hold 
power  in  the  organization,  such  as 
top  money-making  business  areas,  Clark 
says.  “If  you  get  them  bought  in,  everyone 
else  will  say,  ‘If  it’s  good  enough  for  them, 
it’s  good  enough  for  us,”’  he  says.  Does 
that  sound  cynical  to  security  do-gooders? 
“That’s  how  the  business  world  works,” 
says  Clark. 

Additionally, when communicating to the company about the security organization’s activities, it’s not a bad idea to piggyback newsletters or articles onto communiques that a high-level executive is already sending out. At a previous employer, Clark contributed a monthly column to a weekly newsletter that the number three executive in the company sent out. At another company, he paired up with the CIO’s ongoing communications.

“I  ask  the  highest-level  person  I  have  a 
relationship  with  to  send  it  out,”  he  says. 
These  missives  are  also  a  good  way  to  build 
a  campaign  for  an  initiative  for  which  you’re 
trying  to  gain  support. 

Read  Their  Minds 

It doesn’t take a psychic to forecast the concerns and questions certain stakeholders will have—all it takes is a quick study in human behavior. “Certain individuals have hot-button issues they particularly want to dig into,” Gunthner says. For instance, HR may have a particular sensitivity to certain employee relations issues, while facilities may be concerned about misplaced assets. “To know what those are and address them in advance gives you a much better opportunity to get your proposal through,” he says.

Watch  Your  Timing 

Timing is not always something you can control, but it’s important to keep in mind that it’s “key, key, key,” Gunthner says. Even great projects that clearly support business strategy and promise a great return can get turned down if the decision maker is, for whatever reason, having a bad day. “You have one opportunity to get a ‘yes,’ so timing is crucial,” he says. “If you have the ability to pick the right time to present your project, do so. This will increase your chances of getting a ‘yes.’”

Show,  Don’t  Tell 

When presenting to the C-suite, visuals can express your ideas more clearly and quickly than words. When Clark wanted to convey risk exposure to executives at a former employer, he created a mash-up of the company’s Web security tools and a spinning globe. He showed a rain cloud advancing over certain cities to show where the risk was highest. “The CEO asked if I could guarantee we wouldn’t get hacked, and I said, ‘Can you make it stop raining?’ No, but you can prepare for the storm to reduce your risk,” Clark says.

At eBay, Cullinane has developed a dynamic “risk curve” visual that illustrates the relationship between spending and risk levels. “It tends to get pushed up to the right as new exposures are found and moves down when we take actions to reduce exposure,” he says.

Clark also believes in the power of storytelling as a vibrant way to enliven security exposures and successes. He has gone so far as to hire a security marketing analyst, who spends one-third of his time storytelling, whether it’s to secure funding or report on ROI. This person is a creative communicator and natural salesperson who, for instance, tells executives what they got for their money, beyond standard ROI, and puts relevant context around news stories of security mishaps and explains what could reduce that kind of risk.

Beyond visuals and storytelling, Cloutier has occasionally turned to the power of the hack to illustrate a technology-related risk. “Especially on the cyber side, we show them how easy it would be to get hacked,” Cloutier says. “It’s hard to argue.”

Similarly, Clark has set up hacking challenges that determine whether he gets funding. At one company with a large number of external-facing websites, the developers firmly believed they had battened down all the hatches and were balking at putting up the money for a particular security initiative. Clark issued a challenge: If he could hack into five of the websites, they would allocate the funds. They agreed, and he was successful. “It was a gamble, but I was pretty confident,” he says. Doing something attention-grabbing is sometimes key, he says. “To be a change agent, you have to be creative and convey things in interesting ways they haven’t heard of before,” Clark says. “Often, people have their objections already lined up, so you have to think two steps ahead and come at it a completely different way.” ■


Mary  Brandel  is  a  freelance  writer  based  in 
Massachusetts.  Send  feedback  to  Editor  Derek 
Slater  at  dslater@cxo.com. 
More analysis from the Global Information Security Survey: Dangerous prevention practices, and the question of cost-cutting. By George V. Hulme


IT’S NO BIG secret: Attacks are launched over the Web, attackers will craft custom malware to slither past defenses, and any business can be compromised on any given day. That’s where information security stands today.

Clearly, enterprises are aware of this, as investment in many defensive technologies increased significantly year over year, according to the ninth annual Global Information Security Survey CSO conducted along with sister publication CIO and PricewaterhouseCoopers, which questioned more than 9,600 business and technology executives from around the world.

For example, 75 percent of those surveyed now use Web content filtering, up from 65 percent last year; secure browser use is up to 72 percent from 62 percent; and Web services security investments have risen from 55 percent to 62 percent. Results are similar for intrusion-detection and -prevention tools, vulnerability scanners, and security event correlation software.

Enterprises are spending money on security technologies. That’s certainly good news, especially if you’re a security vendor. However, as we noted in last month’s cover story, “Are You An IT Security Leader—Really?” (http://www.csoonline.com/article/690854), organizations are not investing in the processes necessary to make certain those technologies are running in concert. For instance, only 43 percent of respondents have established a centralized security-information management process. And only 8 percent of those surveyed said increasing the focus on data protection was a top priority.

That’s a dangerous and costly bifurcation. Without the right business processes around those technologies, enterprises are lucky to gain much of their intended value.

Access control isn’t one size fits all either.

Robbie  Higgins,  VP  of  security  services  at  IT 
solution  provider  GlassHouse  Technologies,  isn’t 
surprised.  “One  of  the  challenges  a  lot  of  security 
groups  face  is,  still,  justifying  what  they’re  doing. 
The  problem  is,  a  lot  of  the  measures  in  security  are 
qualitative  more  than  they  are  quantitative,  because 
there  is  that  element  of  risk  and  probability,”  he  says. 
“It’s  not  that  they  don’t  see  some  of  the  strategic  side 
of  things  they  need  to  do.  They  do.  But  they’re  still 
struggling  getting  to  the  blocking  and  tackling— the 
very  basics  of  what  needs  to  be  done  and  done  right. 
Today,  that’s  still  their  biggest  priority.” 

“There are certain areas where there is great room for improvement,” says Scott Crawford, managing research director at research firm Enterprise Management Associates. “Many companies make investments in lots of technologies, but they fail to cover the basics, such as reading logs for potential breaches,” he says.

The “2011 Verizon Data Breach Investigations Report” backs what these experts are saying. That report shows that organizations often don’t know for weeks, months or years that they’ve been breached. That study found that 86 percent of breaches were discovered when companies were notified by an external party; only 6 percent of breaches were uncovered through internal monitoring, such as reading security logs. “Clearly, businesses need to make better use of the data on their own networks,” says Crawford.
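The “reading logs” basic that Crawford describes is concrete enough to show in code. The following Python is an added example for this page, not code from the article or from any of the people quoted in it. It runs a small detector over a handful of sshd-style authentication lines constructed for the example (the hostname, addresses and the assumed year are all made up, since syslog lines carry no year) and flags a source address that fails repeatedly and then logs in successfully, one of the patterns that internal log review would surface long before an outside party calls.

```python
"""Added example (not from the article): flag a source that fails to log in
repeatedly and then succeeds, by reading sshd-style auth log lines.
The log lines below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input in syslog/sshd format (hostnames and addresses are invented).
SAMPLE_LOG = """\
Mar 14 02:11:01 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 02:11:03 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 14 02:11:05 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 14 02:11:08 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 14 02:11:10 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 14 02:11:14 web01 sshd[4022]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Mar 14 02:30:00 web01 sshd[4100]: Failed password for alice from 198.51.100.22 port 40001 ssh2
Mar 14 02:30:20 web01 sshd[4101]: Accepted publickey for alice from 198.51.100.22 port 40002 ssh2
"""

# Matches the failed/accepted login lines sshd writes; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2011):
    """Return (timestamp, result, user, src) for a login line, or None otherwise.
    The year is an assumption: syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_bruteforce_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag an Accepted login from a source that produced at least `threshold`
    failures inside `window` before it. Returns a list of alert dicts."""
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent_failures[src]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"src": src, "user": user, "time": ts.isoformat(),
                           "failures_before": len(q)})
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_logins(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints the single alert from the sample (root from 203.0.113.7, after five failures). Against a real auth log the same loop would feed a ticket or a SIEM rule; the threshold and window are tuning knobs, and the point is that the signal is already sitting in data the organization owns.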

Brian Honan, founder of information security consultancy BH Consulting and founder and leader of Ireland’s first Computer Emergency Response Team, says another area where many organizations have a process gap is incident response. “You’d think with all of the talk around advanced persistent threats, and the string of high-profile breaches in the past year, that organizations would be preparing their ability to identify and respond to breaches better, but they’re not,” says Honan. “Most organizations do not have comprehensive incident response plans in place,” he says.

“To this day, we are surprised when we go and meet with new clients and they can speak very intelligently about what they want to do from a security perspective, and what their vision is, and how they want to get there,” says Higgins. “But when you take a look at what they’re actually doing, there’s a big gap between where they are and where they want to be. In some cases, it’s a canyon.” ■


George V. Hulme is a freelance writer based in Minneapolis. Send feedback to Editor Derek Slater at dslater@cxo.com.


More  businesses  are  pulling  back,  or  putting 
off,  spending  on  security.  Many  experts  say 
now  may  not  be  the  best  time  to  scrimp. 

It’s been a tumultuous decade for IT spending. In the recession that started in late 2000, many enterprises slashed IT investments wherever they could, except for IT security, which saw many businesses increase investments. Then, following the financial and mortgage meltdown, after a few years of growth, IT budgets remained flat, while investments in security and regulatory compliance initiatives remained strong.

Today, the relative strength of IT security spending compared to other aspects of IT is fading. According to the responses to this year’s Global Information Security Survey, conducted by CSO in partnership with its sister publication CIO and with PricewaterhouseCoopers, more enterprises are deferring IT security spending and cutting costs where possible.

In  fact,  nearly  half  of 
all  of  those  surveyed  said 
they  trimmed  security  costs 
last  year.  A  slim  majority,  51 
percent,  reported  that  they 
planned  to  increase  security  spending  next  year. 

Additionally, capital expenditure deferrals increased by nearly 19 percent since 2009, as 51 percent of organizations said they are pushing expenses into the future, compared to just 43 percent who said the same in the previous year’s survey. For operational expenditures, the number of enterprises who deferred is up from 40 percent in 2009 to 48 percent today.

Douglas Davidson, president and CEO of security services provider Jacadis, says that they’re not seeing IT security spending drop in their business. They are, however, seeing many more delayed projects. “Businesses have clearly lengthened their decision-making processes,” says Davidson. “In the past you would have a security event, such as a virus outbreak or denial-of-service attack, and the executives would be concerned and the budget would be allocated,” he says. “Those days are gone.”

Davidson  shared  a  recent  anecdote  about  a  customer  that  needed 
a  project  completed  and  agreed  to  pay  100  percent  of  the  cost  up 
front.  Shortly  thereafter,  the  client  came  back  to  renegotiate  the  deal 
to  be  four  payments  over  a  two-month  period  so  they  could  get  their 
final  approval.  “This  was  not  a  big  project,  and  they  are  a  publicly 
traded  company,”  says  Davidson. 

In  addition  to  delaying  security  initiatives,  enterprises  may 
also  be  more  carefully  picking  their  spots.  “In  a  down  economy,  you 
probably  aren’t  spending  time  revamping  your  security  strategy,” 
says  Andy  Ellis,  the  CSO  at  Akamai  Technologies.  “Hopefully,  they’re 
executing  on  their  existing  strategy  in  the  most  cost-effective  way 
possible,"  he  says.  “Rather  than  spending  more  money,  that's  my 
best  guess  as  to  what  a  lot  of  these  respondents  are  doing.” 

Paradoxically, uncertain economic times may not be the wisest time to pull back on security spending because the threat landscape may grow worse. And we’ve seen a number of insider threats in recent years. Back in 2008, in our story “Tough Economy Heightens Insider Threat” (http://www.csoonline.com/article/454890), we saw that insiders with privileged access can cause serious damage, such as the disgruntled administrator for the city of San Francisco who blocked access to a central network by resetting admin passwords and refusing to share those passwords with city officials. Then there was the systems administrator at Medco Health Solutions who planted a logic bomb that could have destroyed data on 70 servers.

And, more recently, there’s been the sudden burst of hacktivism (attacks launched to make a political point), such as the operations the hacker collective Anonymous carried out against PayPal, Visa, HBGary, and Sony. (For more on Anonymous, see http://www.csoonline.com/article/688774.)

“There is certainly a correlation between times of high unemployment and fragile relations with employees, and an increase in people doing bad things,” says Robbie Higgins, VP of security services at IT solutions provider GlassHouse Technologies. “But does that make companies spend any more money on information security? Not that I’ve seen so far. It makes them aware of it. It’s not necessarily a catalyst for more investment,” he says.

-G.V.H. 
5 MORE DIRTY TRICKS: SOCIAL ENGINEERS’ LATEST PICKUP LINES


Putting a twist on tech support and playing the odds with large numbers of desperate job seekers, social engineers are getting specific in their efforts to manipulate. By Joan Goodchild


You  may  know  by  now  that 
when  a  friend  sends  a 
Facebook  message  saying 
they’ve  been  mugged  in 
London  and  desperately 
need  cash,  it’s  a  scam.  But 
social  engineers,  the  criminals  that  pull  off 
these  kinds  of  ploys,  are  one  step  ahead. 

Social  engineering  attacks  are  getting 
more  specific,  says  Chris  Hadnagy,  author 
of  Social  Engineering:  The  Art  of  Human 
Hacking.  “Targeted  attacks  are  earning 
social  engineers  better  results.” 

In  other  words,  they  do  more  work  to 
find  personal  information,  and  while  this 
strategy  may  take  longer,  it  often  provides 
a  bigger  payoff. 

“Attacks  now  are  not  just  a  broad  spam 
effort,  sending  out  a  million  emails  with 
an  offer  for  Viagra,”  says  Hadnagy.  “These 
are  now  individual  attacks  where  they  are 
going  after  people  one  by  one.” 

Here  are  five  new  scams  that  are  much 
more  individualized. 

This Is Microsoft Support. We Want to Help.

Hadnagy says a new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer. Microsoft does not place unsolicited support calls of this kind, so the call itself is the first sign of a scam, but the pretext is built to get past that doubt.


“The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users,” explains Hadnagy. “The pretext makes sense: You are a licensed Windows user, you own a machine with Windows on it, and she wants to prove to you [that your computer has a bug].”

The  caller  tells  the  victim  to  go  to  the 
event  log  and  walks  them  through  the  steps 
to  get  to  the  system  log. 

“Every Windows user will have tons of errors in the event log, simply because little things happen—a service crashes, something doesn’t start. There are always errors,” says Hadnagy. “But when an inexperienced user opens it up and sees all these critical errors, it looks scary.”

At  that  point,  the  victim  is  eager  to  do 
whatever  the  alleged  support  person  asks. 
The  social  engineer  advises  them  to  go  to 
TeamViewer.com,  a  remote-access  service 
that  will  give  them  control  of  the  machine. 

Once the social engineer has access to the machine through TeamViewer, they then install a rootkit or other malware that gives them constant access, says Hadnagy.

Donate  to  Hurricane  Relief! 

Charitable contribution scams have been a problem for years. After any high-profile incident, such as the earthquake and tsunami in Japan, criminals quickly launch fake contribution sites. The best way to avoid this if you want to donate is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself.

However, Hadnagy says a particularly vile social engineering ploy has cropped up recently; it specifically targets people who may have lost loved ones in a disaster. Hadnagy says that about 8 to 10 hours after a disaster occurs, websites pop up promising to help find those who may have been lost. They claim to have access to government databases and information about the rescue efforts. They typically don’t ask for financial information, but do require names, addresses and other contact information, such as email and phone numbers.

“While you’re waiting to hear back about the person you are seeking information on, you get a call from a charity,” says Hadnagy. “The person from the charity will often...claim to be collecting contributions because they feel passionate about the cause as they have lost a family member in a disaster. Secretly, they know the victim they’ve contacted has lost someone too.”

Touched by the caller, the victim then offers up a credit card number to donate to the alleged charity. “Now they have your address, your name, relative’s name from the website and also a credit card. It’s basically every piece they need to commit identity theft,” says Hadnagy.

Hadnagy has also heard that some criminals go on to launch secondary attacks to get even more sensitive information. For example, they call posing as a bank representative verifying that the charity donation is legitimate and asking for the victim’s social security number “for verification purposes.”

About  Your  Job  Application... 

Both  job  seekers  and  headhunters  are  being 
hit  by  social  engineers  who  know  about 
their  job  or  employee  hunt. 

“In  both  directions,  this  is  a  dangerous 
one,”  says  Hadnagy.  “Whether  you  are  the 
person  looking  for  work  or  the  company 
posting  new  jobs,  both  parties  are  saying, 
‘I’m  willing  to  accept  attachments  and 
information  from  strangers.’” 

According  to  a  warning  from  the  FBI, 
more  than  $150,000  was  stolen  from  a  U.S. 
business  via  unauthorized  wire  transfer  as 
a  result  of  malware  the  business  received  in 
an  email  sent  in  response  to  a  job  posting. 

“The malware...allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company,” the FBI alert reads. “The malicious actor changed the account settings to allow the sending of wire transfers.... This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses.”

Malicious attachments have become such a big problem that many organizations now require applicants to fill out an online form, rather than accepting resumes and cover letters in attachments, says Hadnagy. And for job seekers, the threat of receiving a malicious message from a social engineer is high too, he says. Many people now use LinkedIn to broadcast that they are looking for work, a quick way for a social engineer to find a potential target.

“This  is  one  of  those  cases  of  ‘What 
do  you  do?”’  he  says.  “People  need  to  look 
for  jobs  and  companies  need  to  hire.”  But 
“more  critical  thinking  is  required.” 

@Twitterguy,  Your  Thoughts 
on  Obama’s  #Cybersecurity 
Talk?  http://shar.es/HNGAt 

Social engineers are taking the time to observe what people tweet about and are using that information to launch attacks that seem more believable. One way to do this is through popular hashtags, according to security firm Sophos. In fact, earlier this month, during the UK debut of the new season of Glee, social engineers hijacked #gleeonsky for several hours. British Sky Broadcasting paid to use the hashtag to promote the new season, but spammers got ahold of it quickly and began adding malicious links to tweets with the popular term.

“Of  course,  the  spammers  can  choose  to 
redirect  you  to  any  Web  page  they  like  once 
you  have  clicked  on  the  link,”  says  Graham 
Cluley,  a  senior  technology  consultant  at 
Sophos  who  writes  for  their  Naked  Security 
blog.  “It  could  be  a  phishing  site  designed  to 
steal  your  Twitter  credentials,  it  could  be  a 
fake  pharmacy,  it  could  be  a  porn  site  or  it 
could  be  a  website  harboring  malware.” 

Twitter mentions are another way to get someone’s attention. If the social engineer knows enough about what you’re interested in, all they have to do is tweet your handle and some information that makes the tweet seem legitimate. Say you’re a political wonk who is tweeting quite a bit about the GOP primary race. A tweet that mentions you and points you to a link asking you what you think about Mitt Romney’s latest debate statements can appear perfectly legitimate.

“I  would  expect  we  will  see  even  more 
attacks  like  this  in  social  media  because  of 
the  way  people  click  through  these  links,” 
says  Hadnagy. 

Get  More  Twitter  Followers! 

Sophos has also warned of services claiming to get a Twitter user more followers. According to Cluley, you’ll see tweets all over Twitter that say something like: “GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME- [LINK].”

Clicking on the link takes the user to a service that promises to get them many more new followers. Cluley created a test account to try one out and see what would happen. “The pages ask you to enter your Twitter username and password,” he reported in a blog post on the experiment. “That should instantly have you running for the hills—why should a third-party Web page require your Twitter credentials?” Cluley also notes that the service, in the bottom right-hand corner, admits that it is not endorsed by or affiliated with Twitter, and in order to use the service, you are required to grant an application access to your account. At that point, all assurances of security and ethical use are worthless, he says. Twitter itself even warns about these services on its help center information page.

“When you give out your username and password to another site or application, you are giving control of your account to someone else,” the Twitter rules explain. “They may then post duplicated, spam, or malicious updates and links, send unwanted direct messages, aggressively follow, or violate other Twitter rules with your account.” ■


Contact Senior Editor Joan Goodchild at JGoodchild@cxo.com.
[ INDUSTRY VIEW]

By Michael Santarcangelo


Signs  of  Engagement 


His clenched fist struck an angry blow on the mahogany table, scattering the papers in front of him and causing the seven people at the meeting to take a collective roll back in their chairs. Red and quivering, his face was the image of frustration and rage.

For  an  awkward  moment  of  complete 
silence,  no  one  made  eye  contact. 

“This is ridiculous and completely unacceptable,” he stated in a low voice as he shoved his chair backward—nearly knocking it over—and stormed from the room.

As  the  lone  remaining  representative 
from  the  security  team,  I  let  out  a  loud,  long 
sigh,  looked  around,  and  apologized. 

That  happened  to  me  about  12  years  ago 
when  a  security  executive  at  a  bank  I  was 
tasked  to  support  erupted  and  carried  on 
about  a  risk-waiver  request. 

It  wasn’t  a  joke,  it  wasn’t  theatrics,  and 
it  wasn’t  pretty. 


To  be  clear,  his  actions  were  childish 
and  inappropriate,  but  they  created  an 
interesting  opportunity  to  engage  the  folks 
at  the  table,  even  if  not  by  design. 

As a result of his outburst, those of us left in the meeting started talking; we sought common ground and a way to work together. Unexpectedly, I had become positioned as the calmer head that understood their concerns.

I  was  the  bridge  for  both  sides  to  get 
what  they  wanted. 

So while the approach of raging in the office is not recommended, creating genuine opportunities to engage the people we serve is important to advancing individual careers and the entire security team.

Creating Positive Opportunities To Engage

I recently wrote about the positive impact of “changing the label (of users) to change the outcome.” Specifically, when we embrace working with individuals by their name instead of using the generic (and harmful) term “users,” it changes the outcome and creates an opportunity to engage.

When someone uses language that is inclusive and inviting, we have a tendency to pay more attention. When the phrase “end user” is replaced with “individual,” or better, with the actual names of people, something happens: Someone usually remarks on it.

One of my clients tried this recently; they took a document, changed the word “user” to “people,” and circulated the altered document. It was a simple change that drew a handful of interesting meetings—including one with a business leader who noticed the change and wanted to find out what happened.

This led to a discussion about the renewed focus on designing solutions and communications to meet the needs of people. It created an opportunity to demonstrate, before explaining, that the new focus was, in fact, different.

So while changing the label shifts the outcome, it also produces the opportunity to engage in constructive conversation with our colleagues. And that’s the opportunity: explaining the changes in a real, expressive conversation. It will help you leave behind the sometimes ill-deserved reputation as tyrants.

In its place, you’ll build a new approach where we recognize our users as individuals who, in turn, recognize us as individuals. ■


Author of Into the Breach, Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security.
[ debriefing]


Control Issues

Now that everything’s networked and process control systems are easy to hack, here’s a quick-reference guide to figuring out who’s behind each incident

Incident: Who’s behind it
Your car starts broadcasting your emails and voice mails at random intervals: Anonymous
Local Redbox only dispenses porn: Malicious computer science majors
Toilets in middle school flush continuously: Bored middle schoolers
Wii controller can be used to make your fridge dispense lemonade ice cubes: Your kids (duh)
All dams east of the Mississippi open simultaneously: China
All bank vaults east of the Mississippi open simultaneously: Mafia

■
Traditional thinking about security can have a chilling effect on your business.

Desktop Virtualization. A better way to minimize risk without compromising business productivity.

You need a security approach that can evolve with your needs. Device proliferation and flexible workstyles require new thinking.

Citrix desktop virtualization is a better way for companies to fortify security without freezing business productivity. It provides the foundation for a layered security strategy that enables desktops, applications and data to be delivered securely, on demand, to any device.

And since applications and data are secured at the data center, and not at the endpoint, you get increased control and visibility without restricting worker performance and business agility.

Citrix desktop virtualization. It's the coolest thing to happen to security.

Visit www.citrix.com/secure

© 2011 Citrix Systems, Inc. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc. and/or one or more of its subsidiaries and may be registered in the United States Patent and Trademark Office and in other countries.
cloud security.

can you see beyond the problem?
you can

The #1 issue for companies migrating to the cloud is identity and access management.

But for the agile business, know-ing users is always better than no-ing them.

In fact, agile businesses, using our Content-Aware Identity and Access Management solutions, have been able to reduce security risk while improving productivity, access and efficiency. More effective compliance, reduced IT risk, broader, more secure customer and partner relationships.

That’s what happens when no becomes know. And security turns into agility.

To see how we can help make your business more agile and secure, visit ca.com

agility made possible™

CA Technologies